New Windows print spooler zero day exploitable via remote print servers (Security News, July 2021)
Another zero-day vulnerability in the Windows Print Spooler can give a threat actor administrative privileges on a Windows machine through a remote print server under the attacker's control, using the 'Queue-Specific Files' feature.
Since the incomplete fix, security researchers have been heavily scrutinizing the Windows printing APIs and have found further vulnerabilities affecting the Windows Print Spooler.
Security researcher and Mimikatz creator Benjamin Delpy has publicly disclosed a new zero-day vulnerability that allows a threat actor to easily achieve SYSTEM privileges on a Windows machine through a remote print server under their control.
In a conversation with BleepingComputer, Delpy said that his exploit uses the 'Queue-Specific Files' feature of the Windows Point and Print capability to automatically download and execute a malicious DLL when a client connects to a print server under an attacker's control.
"While Windows enforces that driver packages themselves are signed by a trusted source, Windows printer drivers can specify queue-specific files that are associated with the use of the device. For example, a shared printer can specify a CopyFiles directive for arbitrary ICM files," the new CERT advisory explains.
A better way to prevent this exploit is to restrict Point and Print to a list of approved servers using the 'Package Point and print - Approved servers' group policy, so that clients only fetch drivers and queue-specific files from servers the organization controls.
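An added audit script, not from the article or CERT, that reports whether that group policy is in force on a host and which print servers it trusts. It assumes the registry locations the policy's ADMX template writes (`PackagePointAndPrint`, the `PackagePointAndPrintServerList` value and the `ListofServers` subkey); confirm them against your Printers.admx before relying on the result.

```powershell
# Added audit example (not the article's code). Registry paths are assumed to be
# the ones written by 'Package Point and print - Approved servers'; verify locally.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'

function Get-PointAndPrintApprovedServers {
    $result = [ordered]@{
        RestrictedToApprovedServers = $false
        ApprovedServers             = @()
        Findings                    = @()
    }

    if (-not (Test-Path $base)) {
        $result.Findings += 'Policy key absent: Package Point and Print is not restricted to approved servers.'
        return [pscustomobject]$result
    }

    $props = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if ($props.PackagePointAndPrintServerList -eq 1) {
        $result.RestrictedToApprovedServers = $true

        # Each approved server is stored as its own REG_SZ value under ListofServers.
        $listKey = Join-Path $base 'ListofServers'
        if (Test-Path $listKey) {
            $result.ApprovedServers = @(
                (Get-ItemProperty -Path $listKey).PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own metadata properties
                    ForEach-Object { $_.Value }
            )
        }
        if ($result.ApprovedServers.Count -eq 0) {
            $result.Findings += 'Approved-server list is enabled but empty: check that intended print servers were added.'
        }
    }
    else {
        $result.Findings += 'PackagePointAndPrintServerList is not 1: clients may install queue-specific files from any print server.'
    }

    [pscustomobject]$result
}

Get-PointAndPrintApprovedServers | Format-List
```

Run it elevated on a representative client; an empty Findings list alongside a populated ApprovedServers list is the state the article's mitigation aims for.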